From: John Kay johnk@javanet.com To: NTIA.NTIAHQ(privacy) Date: 6/14/98 1:21am Subject: Consumer privacy Dear Shirl Kinney; While looking for information regarding the legal viability of Electronic/Digitally archived documents and legal guidelines I chanced up you requests for commentary in regards to "A Framework for Global Electronic Commerce". Since I work in the IT industry I would like to add in my thoughts to help out in defining future policies. First off I think that Self-regulation of privacy issues by all industries is a nobel idea but will fall by the way-side in certain manufacturing and service industires because of their volitile market and low-margin pricing strategies which require the push for larger market shares to maintain profitablity. Instead I would suggest that regulation and standards be handled either by the International Standards Organization, who offer consumer certifications of compliances (i.e. ISO 9001) for the global marketplace, or possibly a Consumer advocational body like the Better Business Buerau. The main difficulty really lies in the scope of definition of what should be encompased by the term "Consumer privacy rights". The best tact to take to address this issues is to either create or revise a "Consumer's Bill of Rights" which would, if it doesn't already exist, articles pertaining to privacy as well as many others regarding consumer rights for legal actions against businesses. By no means do I hope that such a "Bill of Rights" should interfer with the ethical and profitable business practices in present and future incarnations. The largest irritating business practice in use today are unsolicited mail (a.k.a. junk mail) sent from a purchased mailing list or customer list, and the ever pervasive "Telemarketing". I have encountered the good and bad varieties of these techniques and have found that usually, at least in telemarketing, that harasment usually stems not from the company but rather the employee making the call. I have worked as a telemarkter for a little bit to make ends meet, but we had a "soft-sell" policy. We nevered harassed or tried to be so aggressive as to be harrasing. This is where I view the need to start clear-cut policies disseminated to the general public on this particular type of harrasment and how to combat it. When it comes to privacy most consumers are powerless right now. Mailing lists can be bought and sold like any other type of product right now. Data should flow to allow big and small business alike to have access to the publicum in order to make the public aware of the products and services they offer - this stimulates competition - but at what cost to the consumer? Harassment by over zealous representatives? And who can buy your data? Right now, as I am aware, any business can buy data on groups of people or even highly defined groups for the right price. So what do we do? Stifle competition by restricting data flow which might be cruical to a businesses survival or allow rampant data sharing generating more unsolicited information, which we consumers either throw away or delete wasting time and resources. Do we allow a company devoted to consumer data wharehouse gobs of consumer buying trends and histories, and then market lists to companies producing such products and services we purchase with frequency? This might reak of a "Big Brother/Big Corporation" situation, but I wouldn't be suprised if there are already business that do just that. So should we make the solicitor be responsible for the transmission of their "Private data" or the seller and or the collector of the data? I would probably suggest the latter; make the collector and/or seller of such information liable for harasment or damages caused there by becasue they are the one who are profiting from "your data / your services or product of existance". The solicitor may also incure penalties, specifically monetary, for their harrasing techniques, but the sellers and collectors make their monies whether a sale occurs or not and you never see a cent of that money which you earned by feeding their database through your living and consuming products and services. To summerize their DOES need to be a type of data accounting (origination), data collectors and sellers are ultimately responsible for damages caused by abuses of "personal data" and consumers need a recourse in order to either collect these damages or stop their "personal data" from leaving their services and products providers' consumer databases. I hope that I have added something, at minimum a citizen's vote, to your considerations regarding this issue of personal data privacy. If you feel that my opinion has not been clear or you want to ask me any questions regarding my opinion, then please feel free to contact me at this address. Sincerely, John K. P.S. sorry about any mispellings I don't have a spell checker on my e-mail client.